Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to design/define roles?

chris
Motivator
‎08-07-2012 01:54 AM

Hi

We had a little discussion about splunk architectures and how roles should be designed.
I was wondering if anyone has any hints/best practices to define roles.

My approach so far was to build indexes that are then assigned to roles in authorize.conf using the 'srchIndexesAllowed'. I try not to use the 'srchFilter' parameter if I can avoid it. I think that 'srchFilter' will have performance impacts and I created a mess once using inheritance and different search filters.

Regarding the capabilities I usually derive from the 'user' or 'power' role which are fine for 95% of the roles I have to define.

Feedback is appreciated

Chris

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-07-2012 02:15 AM

I also avoid using the search filter for roles. Once upon a time, it was about the only way to effectively segregate data. Occasionally, it is still useful. Like you, I believe that it adds unnecessary complexity without great benefits.

I like to have two types of roles:

  • roles that grant privileges (power, user, etc) BUT no data access. These roles do not give access to ANY indexes, not even main. Important: inheriting from a role that has index access will also inherit the index access, so be careful with the default roles!
  • roles that grant only basic user privileges AND give access to one or more indexes.

Each user is assigned at least two roles: one for their capabilities and one for their index access.

This lets me keep a very clean set of roles. I got the idea from Gerald, of course; the #1 ranked person on Splunk Answers!

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-07-2012 02:15 AM

I also avoid using the search filter for roles. Once upon a time, it was about the only way to effectively segregate data. Occasionally, it is still useful. Like you, I believe that it adds unnecessary complexity without great benefits.

I like to have two types of roles:

  • roles that grant privileges (power, user, etc) BUT no data access. These roles do not give access to ANY indexes, not even main. Important: inheriting from a role that has index access will also inherit the index access, so be careful with the default roles!
  • roles that grant only basic user privileges AND give access to one or more indexes.

Each user is assigned at least two roles: one for their capabilities and one for their index access.

This lets me keep a very clean set of roles. I got the idea from Gerald, of course; the #1 ranked person on Splunk Answers!

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...